Maturity Model
CISM aspirants are expected to understand the basic details of a maturity model.
A maturity model is a tool that helps the organization assess the current effectiveness of a process and determine what capabilities they need to improve their performance.
Capability maturity models (CMMs) are useful to determine the maturity level of governance processes. The following list defines the different maturity levels of an organization:
- Level 0: Incomplete: On this level, the process is not implemented or does not achieve its intended purpose.
- Level 1: Performed: On this level, the process can achieve its intended purpose.
- Level 2: Managed: On this level, the process can achieve its intended purpose. Also, the process is appropriately planned, monitored, and controlled.
- Level 3: Established: Along with what is required for a Level 2 process, there is a well-defined, documented, and established process to manage the process.
- Level 4: Predictable: On this level, the process is predictable and operates within the defined parameters and limits to achieve its intended purpose.
- Level 5: Optimized: This is the level at which the process is continuously improved to meet the current as well as projected goals.
The CMM uses a scale of 0 to 5 based on process maturity level. It is the most common method applied by organizations to measure their existing state and then determine the desired one.
Maturity models identify the gaps between the current state of the governance process and the desired state. This helps the organization to determine the remediation steps required for improvement. A maturity model calls for continuous improvement in the governance framework. This requires continuous evaluation, monitoring, and improvement to move toward the desired state from the current state.
The process performance and capabilities approach also provides a detailed perspective of the maturity levels, just like the maturity model.
Key Aspects from the CISM Exam Perspective
The following are some key aspects from the exam perspective:
Question |
Possible Answer |
Which models are used to determine the extent and level of processes? |
|
What is the best way to determine the continuous improvement of the risk management process? |
The adoption of the maturity model |
Practice Question Set 7
- As an information security manager, you recommend adopting a maturity model for the organization's information security governance framework. The most important reason for this recommendation is:
- Continuous evaluation, monitoring, and improvement
- The return on technology investment
- Continuous risk mitigation
- Continuous KRI monitoring
- What best indicates the level of information security governance?
- A defined maturity model
- The size of the security team
- The availability of policies and procedures
- The number of security incidents
- What is the most effective indicator of the level of security governance?
- The annual loss expectancy
- The maturity level
- A risk assessment
- An external audit